CN109388617A - A method and device for determining the credibility of a file timestamp - Google Patents
- Publication number
- CN109388617A
- Authority
- CN
- China
- Prior art keywords
- timestamp
- time stamp
- file
- confidence level
- determination method
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Bioethics (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a method and device for determining the credibility of a file timestamp, and relates to the field of electronic data forensics and authentication. The method comprises: obtaining the timestamp of a file under examination as recorded in the file system, and converting the timestamp to decimal; determining the number N of zeros at the end of the timestamp; and, when N ≥ a preset threshold n, determining that the timestamp of the file under examination is not credible. The technical solution can effectively determine whether a file's timestamp information has been tampered with, makes it convenient to check large numbers of files, improves the reliability of file-based electronic data, and fills the gap left by the absence of a method for determining file timestamp credibility.
Description
Technical field
The present invention relates to the field of electronic data forensics and authentication, and in particular to a method and device for determining the credibility of a file timestamp.
Background technique
Time is one of the core problems of electronic data forensics and the basis of all authentication and analysis: once the time cannot be determined accurately, the credibility of the resulting findings is reduced or even lost entirely. Time tampering takes two main forms. One is modifying the system time, which causes files to passively record the wrong time; the other is directly tampering with a file's timestamp information.
At present, whether the operating system time is credible (that is, whether it may have been tampered with) is judged mainly from the operating system's event logs. For the latter case, where a file's timestamp information is tampered with directly, there is not yet an effective determination method.
Summary of the invention
To overcome the technical problem described above, the present invention proposes a method and device for determining the credibility of a file timestamp. It can effectively determine whether a file's timestamp information has been tampered with, makes it convenient to check large numbers of files, improves the reliability of file-based electronic data, and fills the gap left by the absence of a method for determining file timestamp credibility.
The specific technical solution of the invention is as follows:
In a first aspect, the present invention proposes a method for determining the credibility of a file timestamp, comprising:
obtaining the timestamp of the file under examination as recorded in the file system, and converting the timestamp to decimal;
determining the number N of zeros at the end of the timestamp;
when N ≥ a preset threshold n, determining that the timestamp of the file under examination is not credible.
Further, before obtaining the timestamp of the file under examination as recorded in the file system and converting the timestamp to decimal, the method further comprises:
identifying the file system type and determining the type of timestamp to be processed.
Further, before determining the number N of zeros at the end of the timestamp, the method further comprises:
converting the timestamp of the file under examination as recorded in the file system to decimal.
Further, determining the number N of zeros at the end of the timestamp comprises:
Let T be the timestamp of the file under examination as recorded in the file system,
S1: let R be the remainder of T divided by 10, i.e. R = T % 10;
S2: if R ≠ 0, proceed to the next step; otherwise set T = T/10 and N = N+1, and repeat S1;
S3: determine that the number of zeros at the end of timestamp T is N.
In a second aspect, the present invention proposes a device for determining the credibility of a file timestamp, comprising a processor and a memory. The memory stores at least one program, and the program is executed by the processor to implement the method for determining file timestamp credibility described in the first aspect.
In a third aspect, the present invention proposes a computer-readable storage medium. The storage medium stores at least one program, and the at least one program is executed by the processor to implement the method for determining file timestamp credibility described in the first aspect.
The technical solution provided by the invention has the following beneficial effects:
The invention first obtains the timestamp of the file under examination as recorded in the file system and converts the timestamp to decimal; determines the number N of zeros at the end of the timestamp; and, when N ≥ a preset threshold n, determines that the timestamp of the file under examination is not credible. The reason is that under normal circumstances, i.e. when the file's timestamp has not been tampered with, the timestamp of the file does not end in many zeros; if the number of zeros at the end of the timestamp exceeds a certain threshold, the timestamp of the file under examination can be judged not credible. The method can effectively determine whether a file's timestamp information has been tampered with, makes it convenient to check large numbers of files, improves the reliability of file-based electronic data, and fills the gap left by the absence of a method for determining file timestamp credibility.
Brief description of the drawings
To explain the technical solutions of the embodiments of the invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a method for determining the credibility of a file timestamp according to the invention;
Fig. 2 is a schematic diagram of another method for determining the credibility of a file timestamp;
Fig. 3 is a flow chart of a method for determining the credibility of a file timestamp;
Fig. 4 is a schematic diagram of the information of a file in an NTFS file system in an embodiment of the invention;
Fig. 5 is a schematic diagram of locating a file timestamp in the invention;
Fig. 6 is a schematic diagram of the device for determining file timestamp credibility in an embodiment of the invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the invention clearer, the embodiments of the invention are described in further detail below with reference to the drawings.
In general, the time precision of a file system is far finer than one second, whereas a modified timestamp is considered to have relatively low precision, in the vast majority of cases only to the second. If the precision of a file system's timestamps is m seconds, with m generally much less than 1, the probability that the decimal recorded value of a file timestamp falls on a whole second is
That is, in most cases the timestamp does not end in many zeros; if the number of zeros at the end of the timestamp exceeds a certain threshold, the timestamp of the file under examination can be judged not credible.
Fig. 1 is a schematic diagram of a method for determining the credibility of a file timestamp according to the invention, showing the specific implementation steps of the method, comprising:
It should be noted that a file system is the method and data structure an operating system uses to keep track of files on a storage device or partition, i.e. the way files are organized on the storage device. Different file systems organize files differently, but all of them record various information about the files in the system, including file timestamps.
In step 101, the timestamp of the file under examination as recorded in the file system is obtained, and the timestamp is converted to decimal;
In one possible practical operation, a file's timestamp records the point in time at which the file was created, modified, accessed, and so on. A file system usually records a time as the time elapsed from a starting time to that point, where the starting time is the earliest time value that the specific file system can record. In one possible practical operation, the NTFS starting time is 00:00 on January 1, 1601.
In step 102, the number N of zeros at the end of the timestamp is determined;
After the timestamp of the file under examination as recorded in the file system has been obtained in step 101 and converted to decimal, the number of zeros at the end of the timestamp is determined in this step. In one possible implementation, determining the number N of zeros at the end of the timestamp comprises:
Let T be the timestamp of the file under examination as recorded in the file system,
S1: let R be the remainder of T divided by 10, i.e. R = T % 10;
S2: if R ≠ 0, proceed to the next step; otherwise set T = T/10 and N = N+1, and repeat S1;
S3: determine that the number of zeros at the end of timestamp T is N.
In step 103, when N ≥ the preset threshold n, the timestamp of the file under examination is determined to be not credible.
In one possible implementation, the preset threshold n in this step is determined according to the time precision of the file system type, and n is a positive integer. It should be noted that file timestamp precision here means the smallest granularity that a file timestamp can resolve. In a more specific practical operation, the file system is NTFS, the time precision of the file system type is 100 nanoseconds, and the preset threshold n is 7. That is, in this implementation, when the number of zeros at the end of the timestamp determined in step 102 satisfies N ≥ 7, the timestamp of the file under examination is judged not credible and the file cannot serve as credible electronic data.
It should be noted that the method for determining file timestamp credibility described in the embodiment corresponding to Fig. 1 can determine the credibility of file timestamps by automatically obtaining the timestamp information of specified files, carrying out steps 101 to 103 automatically, so that large numbers of files can be checked and the efficiency and reliability of determining the credibility of file-based electronic data are improved.
This embodiment first obtains the timestamp of the file under examination as recorded in the file system and converts the timestamp to decimal; determines the number N of zeros at the end of the timestamp; and, when N ≥ a preset threshold n, determines that the timestamp of the file under examination is not credible. The reason is that under normal circumstances, i.e. when the file's timestamp has not been tampered with, the timestamp of the file does not end in many zeros; if the number of zeros at the end of the timestamp exceeds a certain threshold, the timestamp of the file under examination can be judged not credible. The method can effectively determine whether a file's timestamp information has been tampered with, makes it convenient to check large numbers of files, improves the reliability of file-based electronic data, and fills the gap left by the absence of a method for determining file timestamp credibility.
Fig. 2 is a schematic diagram of another method for determining the credibility of a file timestamp, showing the specific implementation steps of the method, comprising:
In step 200, the file system type is identified and the type of timestamp to be processed is determined.
It should be noted that timestamp precision is not necessarily the same across different file systems; moreover, within a file system of the same type, different timestamp types do not necessarily have the same precision. Therefore, before the following steps are executed, the file system type must first be identified and the type of timestamp to be processed determined.
In step 201, the timestamp of the file under examination as recorded in the file system is obtained, and the timestamp is converted to decimal;
In step 202, the number N of zeros at the end of the timestamp is determined;
In step 203, when N ≥ the preset threshold n, the timestamp of the file under examination is determined to be not credible.
Steps 201 to 203 above are the same as steps 101 to 103 in Fig. 1; see the description of the embodiment of Fig. 1 for details, which are not repeated here.
Fig. 3 is a flow chart of a method for determining the credibility of a file timestamp, showing the specific implementation flow of the method, comprising:
In step 301, identify the file system type and determine the type of timestamp to be processed;
In step 302, set n to some constant and set N = 0;
In step 303, obtain the recorded value of a timestamp in the file system;
In step 304, convert the obtained timestamp record value to decimal and denote it T;
In step 305, let R be the remainder of T divided by 10, i.e. R = T % 10;
In step 306, judge whether R equals zero; if R equals zero, go to step 307; if R does not equal zero, go to step 308;
In step 307, set T = T/10 and N = N+1;
In step 308, judge whether N is less than n; if N < n, give the conclusion that nothing suspicious was found in the timestamp; if N ≥ n, give the conclusion that the timestamp is not credible.
Further, to verify the feasibility of the technical solution proposed by the invention, consider one possible practical operation in which the file system in the embodiment corresponding to Fig. 3 is NTFS. It should be noted that NTFS records file timestamps in FILETIME format: a FILETIME value is a 64-bit hexadecimal value that records the time elapsed since 00:00 on January 1, 1601, in units of 100 nanoseconds. The timestamp of a file was first modified using any one of the tools BulkFileChanger, NewFileTime, Bulk Rename Utility or WinHex; the method described in this application was then applied and made the determination successfully. The specific process is as follows:
Fig. 4 is a schematic diagram of the information of a file in an NTFS file system in an embodiment of the invention, including the file name "newly-built text document .txt" and the creation time shown by the Windows operating system, 17:51:36 on August 5, 2018 (UTC+8:00).
Based on the above information, the following determination steps are carried out:
Step 1: identify the file system as NTFS and select the creation time of the file;
Step 2: set n = 7 and N = 0;
Step 3: by analyzing the file's metadata in the file system, obtain the raw recorded value of the file's creation time, 01D3E456A7F44400. It should be noted that the offset of this file's file record on disk is 0x31050 and the length is 8 bytes; the value is recorded in little-endian form, i.e. 0044F4A756E4D301, which converts to big-endian form as 01D3E456A7F44400. Fig. 5 is a schematic diagram of locating the file timestamp in the invention;
Step 4: convert 01D3E456A7F44400 to decimal, i.e. T = 131699874960000000;
Step 5: R = 131699874960000000 % 10 = 0;
Step 6: T = 131699874960000000 / 10 = 13169987496000000, N = 0 + 1 = 1;
It is apparent that, after 7 iterations, R = 6 ≠ 0 and N = 7;
Step 7: N and n satisfy N ≥ n, so the creation time of this file is judged not credible.
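The flow of Fig. 3 and the worked NTFS case above, written out in Python as an added example (this is not code from the patent). The function names, the two constructed sample values and the separate handling of an all-zero timestamp, on which the S1/S2 loop would never terminate, are assumptions of this example.

```python
import struct

# Preset threshold n for NTFS (FILETIME counts 100 ns units), as given in the description.
NTFS_THRESHOLD = 7


def filetime_from_disk(raw: bytes) -> int:
    """Decode the 8 little-endian bytes of an on-disk FILETIME into the integer T."""
    if len(raw) != 8:
        raise ValueError("a FILETIME record value is exactly 8 bytes")
    (value,) = struct.unpack("<Q", raw)
    return value


def trailing_zeros(t: int) -> int:
    """Steps S1 to S3: count the zeros at the end of the decimal value T."""
    if t <= 0:
        # Assumption of this example: T = 0 has remainder 0 forever, so the
        # loop described in S1/S2 would not end. The caller handles it.
        raise ValueError("T must be a positive integer")
    n = 0
    while True:
        r = t % 10          # S1: R = T % 10
        if r != 0:          # S2: a non-zero remainder ends the loop
            return n        # S3: N trailing zeros
        t //= 10            # S2: otherwise T = T / 10, N = N + 1
        n += 1


def is_not_credible(t: int, threshold: int = NTFS_THRESHOLD) -> bool:
    """Step 103 / 308: the timestamp is judged not credible when N >= n."""
    return trailing_zeros(t) >= threshold


def scan(records, threshold: int = NTFS_THRESHOLD):
    """Check many (label, raw FILETIME bytes) pairs.

    Returns a list of (label, T, N, verdict) tuples.
    """
    results = []
    for label, raw in records:
        t = filetime_from_disk(raw)
        if t == 0:
            # Hypothetical verdict for an all-zero field; not part of the patent.
            results.append((label, t, None, "unset"))
            continue
        n = trailing_zeros(t)
        verdict = "not credible" if n >= threshold else "nothing suspicious found"
        results.append((label, t, n, verdict))
    return results


# First entry: the little-endian bytes quoted in the embodiment.
# The other two values are constructed for this example.
SAMPLES = [
    ("embodiment creation time", bytes.fromhex("0044F4A756E4D301")),
    ("constructed sub-second value", struct.pack("<Q", 131699874961234567)),
    ("constructed all-zero field", bytes(8)),
]

if __name__ == "__main__":
    for label, t, n, verdict in scan(SAMPLES):
        print(f"{label}: T={t} N={n} -> {verdict}")
```
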
Fig. 6 is a schematic diagram of the device for determining file timestamp credibility in an embodiment of the invention. The device mainly includes a processor 601, a memory 602 and a bus 603; the memory stores at least one program, and the program is executed by the processor to implement the method for determining file timestamp credibility described in the above embodiments.
The processor 601 includes one or more processing cores and is connected to the memory 602 through the bus 603. The memory 602 is used to store program instructions, and the processor 601 implements the method for determining file timestamp credibility provided by the above method embodiments when it executes the program instructions in the memory 602.
Optionally, the memory 602 can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random-access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disc.
The present invention also provides a computer-readable storage medium. The storage medium stores at least one instruction, at least one program, a code set or an instruction set, and the at least one instruction, at least one program, code set or instruction set is loaded and executed by the processor to implement the method for determining file timestamp credibility provided by the above method embodiments.
Optionally, the present invention also provides a computer program product comprising instructions which, when run on a computer, cause the computer to execute the method for determining file timestamp credibility described in the above aspects.
A person of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments can be completed by hardware, or by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, and the storage medium mentioned above can be a read-only memory, a magnetic disk, an optical disc, or the like.
The above are only preferred embodiments of the invention and are not intended to limit the invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall be included in the scope of protection of the invention.
Claims (8)
1. A method for determining the credibility of a file timestamp, characterized by comprising:
obtaining the timestamp of the file under examination as recorded in the file system, and converting the timestamp to decimal;
determining the number N of zeros at the end of the timestamp;
when N ≥ a preset threshold n, determining that the timestamp of the file under examination is not credible.
2. The method for determining the credibility of a file timestamp according to claim 1, characterized in that, before obtaining the timestamp of the file under examination as recorded in the file system and converting the timestamp to decimal, the method further comprises:
identifying the file system type and determining the type of timestamp to be processed.
3. The method for determining the credibility of a file timestamp according to claim 2, characterized in that the preset threshold n is determined according to the time precision of the file system type, and the preset threshold n is a positive integer.
4. The method for determining the credibility of a file timestamp according to claim 3, characterized in that the file system is NTFS, the time precision of the file system type is 100 nanoseconds, and the preset threshold n is 7.
5. The method for determining the credibility of a file timestamp according to claim 1, characterized in that the timestamp comprises: creation time, modification time or access time.
6. The method for determining the credibility of a file timestamp according to claim 5, characterized in that determining the number N of zeros at the end of the timestamp comprises:
Let T be the timestamp of the file under examination as recorded in the file system,
S1: let R be the remainder of T divided by 10, i.e. R = T % 10;
S2: if R ≠ 0, proceed to the next step; otherwise set T = T/10 and N = N+1, and repeat S1;
S3: determine that the number of zeros at the end of timestamp T is N.
7. A device for determining the credibility of a file timestamp, characterized by comprising a processor and a memory, the memory storing at least one program, the program being executed by the processor to implement the method for determining the credibility of a file timestamp according to any one of claims 1 to 6.
8. A computer-readable storage medium, characterized in that the storage medium stores at least one program, the at least one program being executed by the processor to implement the method for determining the credibility of a file timestamp according to any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811283492.4A CN109388617B (en) | 2018-10-31 | 2018-10-31 | Method and device for judging reliability of file timestamp |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109388617A true CN109388617A (en) | 2019-02-26 |
CN109388617B CN109388617B (en) | 2020-10-30 |
Family
ID=65428060
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811283492.4A Active CN109388617B (en) | 2018-10-31 | 2018-10-31 | Method and device for judging reliability of file timestamp |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109388617B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN109388617B (en) | 2020-10-30 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||